Protected storage device for computer system

ABSTRACT

The invention is a storage device ( 1 ) for a host computer system. The device ( 1 ) incorporates a Supervisor function for controlling access to information stored in a storage medium ( 2 ) of the device. The main embodiment described is a hard disk drive ( 1 ) comprising: one or more disk platters ( 2 ) for storing information; a ROM ( 4 ) for storing firmware for controlling operation of the drive; a volatile RAM ( 5 ); a micro-controller ( 7 ) for controlling the transfer of information to and from the disk platter(s) ( 2 ); and an interface ( 6 ) for interfacing the drive ( 1 ) with the host computer system and via which information is transferred to and from the disk platter(s) ( 2 ) under the control of the micro-controller ( 7 ). A Supervisor is provided in the form of firmware which is preferably stored in the ROM ( 4 ), the Supervisor operating the micro-controller ( 7 ) so as to protect information stored on the disk platter(s).

FIELD OF THE INVENTION

The present invention relates to a method and apparatus for controlling access to and corruption of information in a computer system.

BACKGROUND

U.S. Pat. No. 5,657,473 discloses a method and apparatus particularly concerned with the detection and containment of hostile programs such as “virus” programs within computer systems, said method including dividing the information stored on the storage medium into a plurality of non-overlapping partitions, including a boot partition and a plurality of general partitions, each of the partitions being further divided into a plurality of sectors, any designated subset of the general partitions being active at any given time when the computer system is in use,

-   said invention employing a supervising means (a Supervisor) separate from the central processing unit (CPU),
-   allowing/restricting/prohibiting read/write operations upon the storage medium depending on whether information to be read from a sector or written to a sector is in the boot partition, or in a general partition, and whether the partition is active or inactive, and
-   said supervising means also allowing a format operation only on a partition which is active and prohibiting a format operation on the boot partition, or on a general partition if it is inactive.

The described invention preferably uses a second processor which is made inaccessible to the user and to the virus, supervising all data transfers between and within sub-divisions of the device or devices placed under its control.

The patent application describes, as an example, an embodiment comprising a printed circuit board assembly containing a dedicated micro-controller, used in place of the hard disk controller within the computer system.

EP 0 800 135 A1 discloses a method and apparatus for controlling access to and modification of information stored on a storage medium forming part of a computer system, said invention including by reference all aspects of the aforesaid invention of U.S. Pat. No. 5,657,473,

-   said invention designating at least one partition a Write Many Recoverable (WMR) partition wherein, in use, if a write command is issued to overwrite any resident information stored in a/the WMR partition by updated information, the updated information is written on the storage medium in a location other than where any resident information is stored and a pointer to the updated information is stored in a Sector Relocation Table (SRT) so that the updated information can be accessed, as required, during the remainder of a (user) session. An alternative method is also described wherein, if a write command is issued to overwrite any resident information stored in a/the WMR partition, prior to undertaking said write command said information is copied and stored elsewhere on the storage medium to be copied back to said WMR partition when required. This could be implemented, for example, by a system reset.

The application describes, as an example, an embodiment comprising a printed circuit board assembly (PCBA) containing a dedicated micro-controller placed in-line between the computer system hard disk drive controller (often embedded within the computer system motherboard) and the hard disk drive.

The method and apparatus in the aforementioned inventions propose the use of a second processor separate from the computer system central processing unit (CPU). Although the aforesaid inventions do not specifically limit their scope to combined hardware and firmware embodiments, both describe in detail embodiments which include a separate printed circuit board assembly, placed between the CPU and the storage medium. Such hardware embodiments have the following disadvantages:

-   Such hardware embodiments have an associated cost per unit, which results in a base cost for the invention which must be met irrespective of sales volume;
-   Such hardware embodiments must be installed within the computer system, generally requiring the computer system case to be removed;
-   Such hardware embodiments require safety and emission approvals and require a high level of testing to ensure compatibility across the wide spectrum of existing computer systems;
-   Such hardware embodiments are subject to a level of component failures.

SUMMARY OF THE INVENTION

It is the object of the present invention to avoid or minimise one or more of the aforesaid disadvantages. This document discloses a method (and related apparatus) for incorporating the methods outlined in both U.S. Pat. No. 5,657,473 and EP 0 800 135 A1 into the storage device itself.

Storage devices are frequently intelligent, containing their own processor module, this being a potential candidate to undertake the functions of a Supervisor as described within the aforesaid inventions. This intelligent module controls the transfer of information to and from the storage medium via the interface to the computer system. According to the present invention as defined herebelow, this intelligent module is used to allow/restrict/prohibit read/write operations upon the storage medium in a manner consistent with the aforesaid inventions.

According to a first aspect of the invention we provide a storage device for a host computer system, the storage device comprising: storage means for storing information; intelligent means for controlling the transfer of information to and from the storage means; and interfacing means for interfacing the storage device with the host computer system and via which information is transferred to and from the storage means under the control of said intelligent means,

-   the storage means comprising: a storage medium divided into a plurality of non-overlapping partitions; non-volatile read-only-memory (ROM) means for storing firmware for controlling operation of the storage device; and volatile random-access-memory (RAM) means;
-   wherein supervising means is incorporated in said storage means for operating said intelligent means so as to protect information stored in the storage medium.

The term “information” as used herein is intended to cover information, data and/or program code, any or all of which may be stored in the storage means.

The supervising means (“Supervisor”) preferably protects the said information by controlling access to and modification thereof in accordance with pre-programmed protection criteria.

Incorporating the Supervisor within the storage device has the following advantages:

-   where an intelligent means is already present on the storage device, the methods outlined in the aforesaid inventions may be implemented with no hardware changes to the storage device; physical installation of a separate PCBA containing the Supervisor is no longer required; Supervisor firmware may be included within the storage device during manufacture or may be added by means of a software utility;
-   since a separate PCBA is no longer required, manufacturing costs are significantly reduced by removing the requirement for additional hardware components, and no additional safety or emission testing is required over and above that required for the storage device without Supervisor firmware;
-   by removing the requirement for additional circuitry external to the storage device, there is a reduction in the compatibility issues that may arise from the diversity of computer system and storage device combinations which are possible.

A further advantage is that incorporating the Supervisor in the storage device, rather than in additional hardware, allows the Supervisor to be implemented in laptop, notebook and/or other small portable computers, since no extra space is required for such additional hardware.

In prior art systems in which the Supervisor was provided as additional hardware located between the storage device and the host CPU, one problem was that the computer system could potentially be tampered with so as to remove this additional hardware, in order to make the computer system operate as normal, without the Supervisor. A further advantage of the present invention is that by incorporating the Supervisor within the storage device, the Supervisor cannot be removed without removing and/or tampering with the storage device itself.

A further significant advantage of the present invention is that whereas in the prior art system the Supervisor hardware was located on the interface between the storage device and the host CPU, and therefore changes in this interface (e.g. an increase or change in data flows across the interface) required reconfiguration and/or adjustment of data handling by the Supervisor, in the present invention the Supervisor is independent of such interface changes by virtue of being incorporated in the storage device itself. Interface changes thus do not affect the Supervisor.

The storage device may be a hard disk drive. The storage medium may comprise one or more disk platters. The supervising means is preferably provided as firmware which is stored in said non-volatile ROM on the storage device. It will be appreciated that if an unauthorised user were to attempt to remove the Supervisor by removing the ROM, this would render the storage device inoperative.

The intelligent means preferably comprises a processor, often referred to as a micro-controller, which runs the Supervisor firmware stored in the ROM means. Hard disk drives are now available which incorporate a printed circuit board assembly (PCBA) including a micro-controller for running programs stored in memory means provided on the PCBA. In such drives, this processor means may conveniently function as the micro-controller for use in the present invention. The Supervisor firmware can be stored in non-volatile ROM provided on the PCBA.

Said non-overlapping partitions into which the storage medium is divided preferably include a boot partition and at least one general partition, each said partition being divided into a plurality of sectors. The storage medium may have a plurality of general partitions defined thereon, any designated subset of which are active at any given time, in use of the computer system.

Preferably, the supervising means operates said intelligent means so as to allow/restrict/prohibit read/write operations upon the storage medium depending upon whether information to be read from a sector or written to a sector is operating system information or user information, whether the sector is in the boot partition or in a general partition and, if the partition is a general partition, whether the partition is active or inactive. The supervising means may also allow a format operation only on a general partition which is active and prohibit a format operation on the boot partition or on a general partition which is inactive. The supervising means preferably also monitors commands passing through the interfacing means between the storage device and the host computer system and prevents predetermined potentially disruptive interface commands from being implemented. For example, the supervising means may prevent disruptive Vendor Unique Commands or Format Track commands from being carried out.
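The allow/restrict/prohibit rules above, together with the dormant and read-only partition behaviour set out in the detailed description later on, amount to a single validation routine that runs on every interface request before the drive's own control firmware services it. The following C is an added example, not the patent's or Vircon's firmware; the command codes, the partition layout, the warning counter and the simplified policy (boot partition readable but neither written nor formatted from the host; reserved sectors outside every partition refused) are constructed for illustration:

```c
/* Added example, not from the patent: a model of the Supervisor's per-request
 * validation. Command codes, the partition layout and the exact policy table
 * are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Interface commands as seen by the Supervisor (constructed codes). */
typedef enum { CMD_READ, CMD_WRITE, CMD_FORMAT,
               CMD_FORMAT_TRACK, CMD_VENDOR_UNIQUE } cmd_t;

typedef enum { PART_BOOT, PART_GENERAL, PART_READ_ONLY } part_type_t;

typedef struct {
    uint32_t    first_sector;   /* inclusive */
    uint32_t    last_sector;    /* inclusive */
    part_type_t type;
    bool        active;         /* general partitions: selected this session? */
} partition_t;

typedef enum { DECISION_ALLOW, DECISION_DENY } decision_t;

/* Constructed layout: boot partition, one active and one dormant general
 * partition, one read-only partition. Sectors beyond 4095 are reserved. */
static const partition_t g_parts[] = {
    {    0,   63, PART_BOOT,      true  },
    {   64, 1023, PART_GENERAL,   true  },
    { 1024, 2047, PART_GENERAL,   false },
    { 2048, 4095, PART_READ_ONLY, true  },
};
#define N_PARTS (sizeof g_parts / sizeof g_parts[0])

static unsigned g_warnings;     /* prohibited attempts seen this session */
unsigned supervisor_warning_count(void) { return g_warnings; }

/* Map a sector to its partition; NULL for sectors outside every partition
 * (the reserved tracks that only the Supervisor may touch). */
static const partition_t *find_partition(uint32_t sector) {
    for (size_t i = 0; i < N_PARTS; i++)
        if (sector >= g_parts[i].first_sector && sector <= g_parts[i].last_sector)
            return &g_parts[i];
    return NULL;
}

static decision_t deny_with_warning(void) {
    g_warnings++;               /* the optional user warning hangs off this */
    return DECISION_DENY;
}

/* The Supervisor's decision for one interface request. Every request is
 * checked here before the drive's control firmware services it. */
decision_t supervisor_check(cmd_t cmd, uint32_t sector) {
    /* Potentially disruptive interface commands are refused outright,
     * whatever sector they name. */
    if (cmd == CMD_VENDOR_UNIQUE || cmd == CMD_FORMAT_TRACK)
        return deny_with_warning();

    const partition_t *p = find_partition(sector);
    if (p == NULL)
        return deny_with_warning();

    switch (p->type) {
    case PART_BOOT:
        /* Simplified policy: the boot partition may be read but is never
         * written or formatted from the host (a boot partition designated
         * WMR would redirect writes instead). */
        return cmd == CMD_READ ? DECISION_ALLOW : deny_with_warning();
    case PART_READ_ONLY:
        return cmd == CMD_READ ? DECISION_ALLOW : deny_with_warning();
    case PART_GENERAL:
        /* Active: full read/write/format. Dormant: invisible this session. */
        return p->active ? DECISION_ALLOW : deny_with_warning();
    }
    return deny_with_warning();
}

int main(void) {
    printf("read boot sector 0:  %s\n",
           supervisor_check(CMD_READ, 0) == DECISION_ALLOW ? "allow" : "deny");
    printf("format dormant 1500: %s\n",
           supervisor_check(CMD_FORMAT, 1500) == DECISION_ALLOW ? "allow" : "deny");
    printf("warnings: %u\n", supervisor_warning_count());
    return 0;
}
```

The point of routing every refusal through one helper is that the optional user warning and any logging have a single place to attach, and that the reserved area (the loader sector, the code segment track, the WMR relocation area) is protected by the same default-deny fall-through as a dormant partition rather than by a special case.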

It will be appreciated that the supervising means preferably also ensures that firmware stored on the ROM means of the storage device, which includes the firmware providing the supervising means, is also protected in that a user, or a user program operating in the host computer system, does not have access to the ROM means (or the RAM means) of the storage device itself, and any firmware or other code stored therein is thus unalterable by the user or user program.

Optionally, the supervising means may cause a warning to be issued to the user should an attempt be made to perform a prohibited read, write or format operation.

At least one of said partitions of the storage device may comprise a Write Many Recoverable (WMR) partition wherein, in use, if a write command is issued to overwrite (i.e. update) any information stored in the WMR partition, the updated information is stored elsewhere on the storage medium, preferably in a dedicated area of the storage medium, and a pointer to the updated information is provided so the updated information can be accessed as required during the remainder of the session, wherein a system reset causes the list of pointers to the updated information, and optionally the updated information itself, to be cleared.

Where such a WMR partition is provided, the or each said WMR partition preferably has a Sector Relocation Table (SRT) associated therewith which is held in said volatile RAM means of the storage device, each entry in a said SRT being a pointer which defines the address of a range of sectors in the WMR partition that have been updated and an address where the updated information is located, this location being within a dedicated area on the storage medium which is accessed only by the supervising means.

Alternatively, at least one of said partitions of the storage device comprises a Write Many Recoverable (WMR) partition wherein, in use, if a write command is issued to overwrite (i.e. update) any information stored in a/the WMR partition, prior to undertaking said write command said information is copied and stored elsewhere on the storage medium to be copied back to said WMR partition when required. This could be implemented, for example, by a system reset.

Where the storage medium comprises at least one disk platter and a boot partition, said boot partition will include a disk boot sector. According to the present invention, the storage device may be provided with loader means and said supervising means may be adapted to intercept any request for the disk boot sector, issued by the host computer system in use thereof, and supply said loader means to satisfy the request. The loader means is preferably configured to load or transfer a predetermined code segment, which is stored on the storage means, to a central processing unit (CPU) of the host computer system to be executed by the computer system prior to (normal) operating system boot. This code segment may provide user prompts, and communication with the supervising means. The loader means is preferably provided in said non-volatile ROM of the storage device. Alternatively, said loader means may be provided in a reserved area on the storage medium, for example in one or more reserved tracks of a said disk platter of the storage device. This reserved area is preferably inaccessible to a user or user program (but is accessible to the supervising means) whereby unauthorised alteration of the loader means is prevented.

The code segment may be provided in said non-volatile ROM means of the storage device or, preferably, in a reserved area of the storage medium which is also preferably inaccessible to a user or user program, but is accessible to the supervising means, whereby unauthorised alteration of the code segment is prevented.

Optionally, the storage device may be placed in either “supervised” mode, in which the supervising means is active, or “unsupervised” mode, in which the supervising means is not active. Said code segment, when executed, preferably provides user prompts which allow a user to select either “supervised” mode or, by entry of a password, “unsupervised” mode. The code segment is preferably constructed such that, subsequent to mode selection by the user, the code segment transfers and executes the boot program from the disk boot sector of the storage medium which, in turn, initiates operating system boot (in the host computer system). The correct password (for comparison against a password input by a user) may be stored in said non-volatile ROM of the storage device or on the storage medium itself.

According to a second aspect of the invention we provide a computer system incorporating a storage device according to the above-described first aspect of the invention.

According to a third aspect of the invention we provide a method of controlling access to and modification of information stored on a storage medium of a storage device for incorporation in a host computer system, wherein the storage device comprises storage means for storing information, intelligent means for controlling the transfer of information to and from the storage means, and interfacing means for interfacing the storage device with the host computer system and via which information may be transferred to and from the storage means under the control of said intelligent means, and the storage means comprises: a storage medium; non-volatile read-only-memory (ROM) means for storing firmware for controlling operation of the storage device; and volatile random-access-memory (RAM) means;

the method comprising the steps of:

-   dividing the storage medium into a plurality of non-overlapping partitions including a boot partition and at least one general partition, and dividing each said partition into a plurality of sectors;
-   providing supervising means in said storage means for operating said intelligent means so as to protect information stored in the storage medium; and
-   incorporating the storage device in a host computer system, and running the host computer system with the supervising means operating said intelligent means so as to protect information stored in the storage medium.

Preferably said supervising means is provided for allowing/restricting/prohibiting read/write operations upon the storage medium depending upon whether information to be read from a sector or written to a sector is operating system information or user information, whether the sector is in the boot partition or in a general partition and, if the partition is a general partition, whether the partition is active or inactive,

-   said supervising means optionally also allowing a format operation only on a general partition which is active and prohibiting a format operation on the boot partition or on a general partition which is inactive,
-   said supervising means being adapted to intercept each interface request from the host computer system to said storage device,
-   and the supervising means, preferably, causing a warning to be issued to the user should an attempt be made to perform a prohibited read, write or format operation, which operation is prevented by the supervising means;
-   providing a loader means, said supervising means being adapted to supply said loader means in response to any request, issued by the host computer system, for the disk boot sector of the boot partition; and executing the loader means by the central processing unit (CPU) of the computer system in place of the requested disk boot sector, the loader sector transferring a code segment stored in the storage device, preferably in the storage medium thereof, into a RAM of the CPU for execution thereon, the code segment, when executed, initiating a user interface procedure, preferably in the form of user prompts, whereby a user may select one or more protection options;
-   and whereupon, subsequent to a said selection having been made by the user, said code segment transfers the disk boot program stored in the disk boot sector as originally requested and, in turn, executes the disk boot program which then initiates operating system boot (in the host computer system).

Said selection of protection options preferably includes the option, by entering a predetermined password, of setting the storage device in “unsupervised” mode whereby interface requests are not intercepted by the supervising means. The selection may also include the option of setting the storage device in “supervised” mode and further selecting one or more active partitions and/or designating at least one of said partitions a Write Many Recoverable (WMR) partition wherein, in use, if a write command is issued to overwrite any resident information stored in a/the WMR partition by updated information, the updated information is written on the storage medium in a location other than where any resident information is stored and a pointer to the updated information is provided so that the updated information can be accessed, as required, during the remainder of a session.

The method may further include storing a Sector Relocation Table (SRT), which contains the pointers associated with each said WMR partition, in the volatile RAM means of the storage device.

Alternatively, the method may include the option of designating at least one of said partitions a Write Many Recoverable (WMR) partition wherein, in use, if a write command is issued to overwrite (i.e. update) any information stored in a/the WMR partition, prior to undertaking said write command said information is copied and stored elsewhere on the storage medium to be copied back to said WMR partition when required. This could be implemented, for example, by a system reset.

BRIEF DESCRIPTION OF THE DRAWINGS

Preferred embodiments of the invention will now be described by way of example only, and with reference to the accompanying drawings in which:

FIG. 1 is a schematic diagram of a hard disk drive according to one embodiment of the invention;

FIG. 2 is a flow chart illustrating a modified operating system boot sequence implemented in the hard disk drive of FIG. 1.

DETAILED DESCRIPTION OF THE INVENTION

FIG. 1 shows a storage device in the form of a hard disk drive 1 for incorporating in a host computer system (not shown). The drive is of conventional form having one or more disk platters 2 mounted on a spindle motor drive mechanism on a printed circuit board assembly (PCBA) 3 having a ROM chip 4 containing firmware for controlling operation of the drive, and a RAM chip 5. The drive has an interface connector 6 which enables interfacing of the disk drive 1 to the host computer system, via which interface connector information, including user information, operating system information, data and other programs, is transferred to and from the disk platter(s) 2. The PCBA 3 has a micro-controller 7 provided thereon which runs the firmware contained in the ROM chip 4, accesses the RAM chip 5 and controls the transfer of information, data and/or programs to and from the disk platter(s) via the interface.

The firmware in the ROM includes “Supervisor” firmware for intercepting and validating each request to the hard disk (from the host computer system) in a manner previously described in U.S. Pat. No. 5,657,473, the contents of which are therefore incorporated herein by reference. The operation of the disk drive beneficially also includes a method of controlling access to and modification of information stored on the disk platter(s) of the drive utilising a Write Many Recoverable (WMR) partition (or partitions) as previously disclosed in EP 0 800 135 A1, the content of which is also therefore incorporated herein by reference.

Thus, the supervising means (Supervisor) forms part of the hard drive itself, separate from a central processing unit (CPU) of the host computer system and inaccessible to the user, the supervising means controlling access to information stored on the disk platter(s).

According to the described embodiment, the disk drive operation provides a method giving the user the capability of selecting either an “unsupervised” or “unprotected” mode through entry of a password, or selecting a supervised or “protected” mode with further selection of one or more active partitions. To do this, a loader means in the form of a “loader sector” is provided in the form of executable code stored in the non-volatile ROM chip 4, the loader sector acting as a replacement for the disk boot sector of the active partition on the storage device, whereby each request (by the host computer system) for said disk boot sector is intercepted by the Supervisor and said loader sector is supplied to satisfy the request, the loader sector being executed by the CPU of the computer system in place of the requested disk boot sector, said loader sector transferring a code segment (stored on a reserved track therefor on the disk platter(s), and referred to in further detail below) into RAM of the CPU of the host computer system for execution thereby;

-   said code segment, when executed, providing all required user prompts and communication with the Supervisor required for entry into either “protected” or “unprotected” mode, such that, subsequent to mode selection, said code segment executes the original disk boot sector program which then initiates the process of operating system boot.

This modified operating system boot operation will now be explained in further detail with reference to FIG. 2 of the drawings, which is a flow chart illustrating this operating system boot sequence.

In the normal operation of a computer system, upon switch-on of the system (or a request to re-boot the system) the host system central processing unit (CPU) requests the disk boot sector from the boot partition of a disk platter of the hard drive. In the present invention, the Supervisor intercepts any request for the disk boot sector. Upon interception of the disk boot sector request, the Supervisor returns the loader means (namely the “loader sector”) stored in the ROM chip 4 in place of the disk boot sector. The host system will be unaware of this change having been made and will execute the loader sector which, in turn, transfers a code segment, stored in the storage device, to a RAM in the host computer system. This code segment is stored in a track 8 on the disk platter (or one of the disk platters) which is reserved therefor. This track is accessible only to the Supervisor means, being a track which is outside the area of the disk platter accessible to the host operating system.

The code segment contains code, to be executed by the host system, which issues user prompts and which communicates with the Supervisor, in order to enable the user to set the system in the “protected” mode or “unprotected” mode, as will be described herebelow.

Once the code segment has been transferred to the RAM of the host computer system it is executed thereby so as to, firstly, establish communication with the Supervisor, and then provide a user display screen (known as the HARDWALL banner; HARDWALL is a registered trade mark of Vircon Limited) which permits the user to select a desired protection mode, namely either “protected” or “unprotected”. If the user selects the “protected” mode the code segment then requests a list of dormant partitions from the Supervisor, displays them on the screen of the computer system and prompts the user to select one or more partitions from the list. Once the user has selected one or more partitions the code segment informs the Supervisor of this choice. Prior to selecting a partition or partitions, which then become active, the system will previously have been configured in terms of partitions and a level of protection associated with them. These may be established by means of a software utility. In general, there are three types of partition, namely general partitions, read-only partitions and WMR partitions. Typically, a read-only partition and a WMR partition are always available. At the start of a session, when a general partition (or partitions) is selected and made active it is granted full read/write access. The remaining general partitions then become dormant, whereby the Supervisor prevents their contents being accessed and hence protects them during that particular user session (which lasts until switch-off or re-boot of the computer system). Read-only partitions are granted read access only, all write commands being prohibited by the Supervisor. The function and features of the Supervisor are disclosed and described in detail in U.S. Pat. No. 5,657,473 (incorporated herein by reference) and will therefore not be repeated here.

In the preferred embodiment, at the stage of the process where the user selects one or more active partitions, the executed code segment will make available to the user one or more partitions designated as Write-Many-Recoverable (WMR) partitions. If a write command is issued by the host system (e.g. by a user program) to overwrite any resident information stored in that WMR partition, the updated information is stored elsewhere on the disk platter(s) in a dedicated area thereof, and a pointer to the updated information is kept (in the RAM chip 5 of the drive) so the updated information can be accessed as required during the remainder of the session, and wherein a system reset causes the list of pointers to the updated information, and optionally also the updated information itself, to be cleared. Each WMR partition has a Sector Relocation Table (SRT) associated with it containing the pointers which define the address of a range of sectors in the WMR partition which have been updated and an address where the updated information is located. This updated information is located in a dedicated area of the disk platter(s) which is accessible only to, and is protected by, the Supervisor. This may be achieved by the dedicated area being disposed in an area of the disk platter(s) to which any access by the host system is denied by the Supervisor, the dedicated area in this manner being effectively “hidden” from the host system. Alternatively, the dedicated area could be disposed outside the physical area (namely tracks) of the disk platter(s) which is accessible to the host operating system, in an area which is accessible only to the Supervisor. The SRT table(s) are stored in the RAM chip 5 of the disk drive 1. The details and implementation of the WMR technique are disclosed and described in detail in EP 0 800 135 A1, previously referred to and incorporated herein by reference, and are therefore not described in any further detail herein. It will be appreciated that the WMR facility enables a user to write to the designated WMR partition(s) during a session on the computer system, but each time the computer system is re-booted all changes are erased so as to leave each WMR partition in its original state. Typically, the boot partition will be chosen by the user to be designated a WMR partition.
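As an added illustration of the SRT mechanism described above (not code from the patent or from EP 0 800 135 A1), the following C models one WMR partition with a relocation table held in volatile RAM. The sector size, the relocation area and its capacity are constructed, and the table tracks single sectors rather than the sector ranges the patent describes; the relocation area is deliberately smaller than the partition so that the exhaustion case is visible:

```c
/* Added example, not the patent's code: a simplified Write Many Recoverable
 * partition with a Sector Relocation Table (SRT) in volatile RAM. Sizes,
 * sector contents and the relocation area are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_BYTES   16   /* toy sector size */
#define WMR_SECTORS    8    /* sectors in the WMR partition */
#define RELOC_SECTORS  4    /* dedicated area reachable only by the Supervisor */

/* "Disk platter": the resident WMR sectors and the hidden relocation area. */
static uint8_t g_wmr[WMR_SECTORS][SECTOR_BYTES];
static uint8_t g_reloc[RELOC_SECTORS][SECTOR_BYTES];

/* SRT entry: which WMR sector was updated and where its new contents live.
 * Held in drive RAM, so it does not survive a reset. */
typedef struct { uint32_t wmr_sector; uint32_t reloc_sector; bool used; } srt_entry_t;
static srt_entry_t g_srt[WMR_SECTORS];
static uint32_t    g_reloc_next;      /* next free relocation sector */

static srt_entry_t *srt_lookup(uint32_t wmr_sector) {
    for (uint32_t i = 0; i < WMR_SECTORS; i++)
        if (g_srt[i].used && g_srt[i].wmr_sector == wmr_sector)
            return &g_srt[i];
    return NULL;
}

unsigned wmr_srt_entries(void) {
    unsigned n = 0;
    for (uint32_t i = 0; i < WMR_SECTORS; i++) n += g_srt[i].used;
    return n;
}

/* Host write: the resident sector is never touched. Data goes to the
 * relocation area and the SRT pointer is created or reused. Returns false
 * when the relocation area is full, rather than falling back to the
 * resident sector. */
bool wmr_write(uint32_t wmr_sector, const uint8_t *data) {
    if (wmr_sector >= WMR_SECTORS) return false;
    srt_entry_t *e = srt_lookup(wmr_sector);
    if (e == NULL) {
        if (g_reloc_next >= RELOC_SECTORS) return false;
        for (uint32_t i = 0; i < WMR_SECTORS; i++)
            if (!g_srt[i].used) { e = &g_srt[i]; break; }
        if (e == NULL) return false;
        e->used = true;
        e->wmr_sector = wmr_sector;
        e->reloc_sector = g_reloc_next++;
    }
    memcpy(g_reloc[e->reloc_sector], data, SECTOR_BYTES);
    return true;
}

/* Host read: the SRT is consulted first so the session sees its own updates. */
bool wmr_read(uint32_t wmr_sector, uint8_t *out) {
    if (wmr_sector >= WMR_SECTORS) return false;
    const srt_entry_t *e = srt_lookup(wmr_sector);
    memcpy(out, e ? g_reloc[e->reloc_sector] : g_wmr[wmr_sector], SECTOR_BYTES);
    return true;
}

/* System reset: clear the SRT (and here the relocation area as well),
 * leaving every WMR sector in its original resident state. */
void wmr_reset(void) {
    memset(g_srt, 0, sizeof g_srt);
    memset(g_reloc, 0, sizeof g_reloc);
    g_reloc_next = 0;
}

/* Seed resident contents (stands in for the partition's installed image). */
void wmr_seed(uint32_t wmr_sector, const uint8_t *data) {
    if (wmr_sector < WMR_SECTORS) memcpy(g_wmr[wmr_sector], data, SECTOR_BYTES);
}

int main(void) {
    uint8_t orig[SECTOR_BYTES], upd[SECTOR_BYTES], out[SECTOR_BYTES];
    memset(orig, 'O', SECTOR_BYTES);
    memset(upd,  'U', SECTOR_BYTES);
    wmr_reset();
    wmr_seed(0, orig);
    wmr_write(0, upd);
    wmr_read(0, out);
    printf("during session: %c\n", out[0]);
    wmr_reset();
    wmr_read(0, out);
    printf("after reset:    %c\n", out[0]);
    return 0;
}
```

The property worth checking is that the resident copy is never written during a session: updates are only reachable through the SRT, wmr_reset() discards them, and a full relocation area is reported to the caller instead of being silently resolved by overwriting resident data.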

In an alternative WMR technique, also described in EP 0 800 135 A1, if a partition is designated as WMR, in use, if a write command is issued to overwrite (i.e. update) any information stored in a/the WMR partition, prior to undertaking said write command said information is copied and stored elsewhere on the storage medium to be copied back to said WMR partition when required. This could be implemented, for example, by a system reset. For the avoidance of doubt, the use of this alternative WMR method is also intended to be within the scope of the present invention.

The RAM chip 5 is also used to store information regarding the protection state attributed to each partition in the drive at any given time, for example which partitions are active and which are inactive, which are WMR partitions, which are read/write accessible, which are read-only, etc. This information, which can be referred to as a Permission Table, is also stored in the RAM chip 5 of the disk drive 1.

Once the active partition(s) have been selected, and any WMR partitions,the code segment transfers the original disk boot sector stored in thedisk drive to the host computer system RAM for execution thereby, theexecuted disk boot sector initiating operating system boot in the hostsystem.

If, at the stage where the user is prompted to select “protected” or “unprotected” mode (i.e. “supervised” or “unsupervised”), the user selects “unprotected”, the code segment prompts the user to enter a password. The password entered by the user is then transferred to the Supervisor firmware for validation (by matching it against the correct password stored in the ROM chip 4 of the drive 1). A limited number of retries is permitted if the user enters an incorrect password. Once a correct password has been entered and validated, the code segment offers the user the option of changing the password. If such a request is made, the code segment prompts for a new password to be entered twice, the two entered passwords then being transferred to the Supervisor firmware for comparison and, if they match, storage in the ROM chip 4 of the drive (which must therefore be a rewritable non-volatile memory, such as EEPROM or flash, at least for the password location). The Supervisor then enters the “unprotected” or “unsupervised” mode and the code segment proceeds to transfer the original disk boot sector to the host system RAM for execution, in order to initiate operating system boot in the host system.
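The boot-time sequence of the preceding paragraphs (boot-sector request answered with the loader, code segment fetched from the reserved track, partition selection recorded in the Permission Table, or password-gated entry to unsupervised mode), as an added example that is not the patent's firmware. Everything concrete here is assumed for illustration: LBA 0 as the boot sector, 1024 host-addressable LBAs with the reserved track above them, placeholder bytes for the loader and the code segment, a three-attempt password limit with refusal afterwards, the sample partitions and password, and the loader obtaining the code segment through a Supervisor-side call (the page says only that the reserved track is reachable by the Supervisor alone).

```python
"""Model of the Supervisor's boot-sector interception, Permission Table
checks and supervised/unsupervised mode selection. Added example, not the
patent's firmware; all constants and names below are assumptions."""
import hmac

BOOT_SECTOR_LBA = 0       # assumed: where the host seeks boot code
HOST_VISIBLE = 1024       # assumed: host-addressable LBAs are 0..1023
CODE_SEGMENT_LBA = 1024   # assumed: first LBA of the Supervisor-only reserved track
MAX_RETRIES = 3           # assumed retry limit for the password
SECTOR = 16               # assumed sector size for the model


class Supervisor:
    def __init__(self, platter, partitions, rom_password):
        self.platter = platter                   # lba -> bytes
        self.rom_loader = b"<loader-stub>"        # patent: loader sector held in ROM
        self.rom_password = rom_password         # patent: password held in ROM
        # Permission Table (drive RAM): name -> start, end, boot, active, read_only
        self.perm = {n: dict(p) for n, p in partitions.items()}
        self.supervised = True
        self.hook_boot = True    # first boot-sector request is answered with the loader
        self.retries = 0

    def _partition(self, lba):
        for name, p in self.perm.items():
            if p["start"] <= lba <= p["end"]:
                return name, p
        raise PermissionError(f"LBA {lba} lies outside every partition")

    def _gate(self, lba):
        # The reserved track is outside the host-addressable area in every mode.
        if lba >= HOST_VISIBLE:
            raise PermissionError("reserved track is Supervisor-only")

    def read(self, lba):
        self._gate(lba)
        if self.supervised:
            if lba == BOOT_SECTOR_LBA and self.hook_boot:
                return self.rom_loader           # intercept: supply the loader instead
            name, p = self._partition(lba)
            if not (p["boot"] or p["active"]):
                raise PermissionError(f"read of inactive partition '{name}'")
        return self.platter.get(lba, bytes(SECTOR))

    def write(self, lba, data, fmt=False):
        self._gate(lba)
        if self.supervised:
            name, p = self._partition(lba)
            if fmt and (p["boot"] or not p["active"]):
                raise PermissionError(f"format of '{name}' prohibited")
            if not (p["boot"] or p["active"]):
                raise PermissionError(f"write to inactive partition '{name}'")
            if p["read_only"]:
                raise PermissionError(f"'{name}' is read-only")
        self.platter[lba] = data

    # -- actions driven by the loader / code segment executing on the host --
    def fetch_code_segment(self):
        return self.platter[CODE_SEGMENT_LBA]    # Supervisor-side, not a host read

    def select_supervised(self, active):
        """User chose 'protected' plus a set of active general partitions."""
        for name, p in self.perm.items():
            if not p["boot"]:
                p["active"] = name in active
        self.hook_boot = False                    # next request gets the real sector
        return self.read(BOOT_SECTOR_LBA)

    def select_unsupervised(self, password):
        """User chose 'unprotected': boot sector on success, None on a wrong
        password, refusal once the retry limit is reached (assumed behaviour)."""
        if self.retries >= MAX_RETRIES:
            raise PermissionError("retry limit reached")
        # Constant-time compare is a hardening choice of this model, not the patent's.
        if not hmac.compare_digest(password.encode(), self.rom_password):
            self.retries += 1
            return None
        self.supervised = False                   # interface requests no longer checked
        self.hook_boot = False
        return self.read(BOOT_SECTOR_LBA)


def build():
    """Constructed sample drive: boot partition, read-only active OS partition,
    inactive general partition, and the code segment on the reserved track."""
    platter = {0: b"REAL-BOOT-SECTOR", 150: b"OS-KERNEL-------",
               600: b"USER-FILE-------", CODE_SEGMENT_LBA: b"<code-segment>"}
    parts = {"boot": dict(start=0, end=99, boot=True, active=True, read_only=False),
             "os": dict(start=100, end=499, boot=False, active=True, read_only=True),
             "work": dict(start=500, end=1023, boot=False, active=False, read_only=False)}
    return Supervisor(platter, parts, rom_password=b"example-pw")  # assumed password


def supervised_boot(active=("work",)):
    """Host boots in protected mode; returns the drive and what the host saw."""
    sup = build()
    first = sup.read(BOOT_SECTOR_LBA)    # host asks for the boot sector, gets the loader
    seg = sup.fetch_code_segment()       # loader brings in the code segment
    real = sup.select_supervised(set(active))   # code segment hands over the real sector
    return sup, first, seg, real
```

The check in `_gate` plus the `if self.supervised:` blocks are the property the page calls essential: no interface request is serviced before the Supervisor has looked at it, and the reserved track stays out of reach even in unsupervised mode because it lies outside the host-addressable area rather than merely being filtered. The constant-time comparison is a hardening choice of the model; the page specifies only that the entered password is matched against the one held in ROM.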

A more detailed description of the above-described embodiment is notgiven herein, as this would be within the normal understanding of aperson skilled in the art.

The embodiment of the present invention includes no physical electroniccomponents that are not present in many commercially available hard diskdrives. The invention requires only the following features in the diskdrive in order to implement the invention thereon:

-   memory locations within the Read Only Memory (ROM) chip 4 to contain the firmware code to implement Supervisor functionality (the Supervisor firmware);
-   integration of the Supervisor firmware into the existing control firmware of the hard disk drive, ensuring that no interface request is serviced before the Supervisor firmware has checked and validated the request;
-   memory locations within the embedded Random Access Memory (RAM) 5 of the hard disk drive to store the SRT and Permission Table which are created and maintained during each session on the computer system;
-   memory locations within the ROM 4 for the storage of the password for use in selecting supervised or unsupervised mode;
-   memory locations within the ROM 4 for the storage of the loader sector;
-   sectors on the hard disk drive itself for storage of the code segment which is required to be passed to the computer system and executed during the initial power up and configuration process, said sectors being within one or more reserved tracks on the disk surface which are inaccessible to the host computer system (and any user programs running therein) and accessible only to the Supervisor.

It should be noted that the Supervisor firmware is configured toprohibit any access to itself, or alteration to itself, by user commands(issued by a user or user program) which attempt to read, corrupt ormodify the Supervisor firmware.

It will be appreciated that, as an alternative to providing theinvention in the drive at manufacture thereof, where a hard drive havingthe necessary features outlined immediately above is provided, theinvention could be implemented by loading the Supervisor firmware intothe disk drive by means of a software utility program in order to obtaina disk drive which operates in accordance with the present invention.Although the Supervisor firmware will preferably be loaded into the ROMof the drive, it is envisaged that some or all of the Supervisorfirmware could be written onto the disk platter(s). In this latter case,any of the Supervisor firmware which is stored on the disk platter(s)will be protected by the Supervisor itself so that a user or userprogram cannot gain read or write access thereto.

The embodiments of the present invention hereinbefore described aregiven by way of example only, and it will be appreciated that variousmodifications thereto will be possible without departing from the scopeof the invention. In particular, the invention is applicable not only tostorage devices in the form of hard disk drives, but also to other typesof storage device. For example, the Supervisor firmware could beincorporated in a solid state storage device, such as a FLASH memorycard. Also, the Supervisor firmware could be stored on an opticalstorage medium, such as a compact disc (CD) or digital video disk (DVD),for use in an optical storage device, e.g. CD or DVD drive. Equally,some or all of the Supervisor firmware could be stored in the ROM of aCD or DVD drive.

1. A storage device for a host computer system, the storage devicecomprising: storage means for storing information; intelligent means forcontrolling the transfer of information to and from the storage means;and interfacing means for interfacing the storage device with the hostcomputer system and via which information is transferred to and from thestorage means under the control of said intelligent means, the storagemeans comprising: a storage medium including a boot partition dividedinto a plurality of sectors, the boot partition including a boot sectorwhere the host computer system seeks code to perform operating systemboot of the host computer system; non-volatile read-only memory (ROM)means for storing firmware for controlling operation of the storagedevice; and volatile random-access-memory (RAM) means; whereinsupervising means is incorporated in said storage means for operatingsaid intelligent means so as to protect information stored in thestorage medium, said supervising means being incorporated at leastpartly as firmware which is stored in said non-volatile ROM means, andwherein the storage device further includes: a host executable codesegment, stored in said storage means, for allowing user control of thesupervising means via the host computer system and for controllinginitiation of operating system boot in the host computer system; andloader means stored in the storage means and comprising host executablecode for loading said code segment to the host computer system andcausing the host computer system to execute the loaded code segment; andwherein said supervising firmware stored in the ROM means is adapted tointercept any request for said boot sector, issued by the host computersystem in use thereof, and to supply said loader means to the hostcomputer system to satisfy the request.
 2. A storage device according to claim 1, wherein the supervising means is provided wholly as firmware which is stored in said non-volatile ROM means on the storage device.
 3. A storage device according to claim 1, wherein the intelligent means comprises a microcontroller which runs the supervising firmware stored in the ROM means.
 4. A storage device according to claim 1, wherein thesupervising means operates said intelligent means so as toallow/restrict/prohibit read/write operations upon the storage mediumdepending upon whether information to be read from a sector or writtento a sector is operating system information or user information, whetherthe sector is in the boot partition or in a general partition, andwhether if the partition is a general partition the partition is activeor inactive.
 5. A storage device according to claim 4, wherein thesupervising means also ensures that firmware stored on the ROM means ofthe storage device, which includes the supervisor firmware, is alsoprotected in that a user, or a user program operating in the hostcomputer system, does not have access to the ROM means of the storagedevice itself.
 6. A storage device according to claim 1, wherein thesupervising means is configured so as to cause a warning to be issued tothe user should an attempt be made to perform a prohibited read, writeor format operation.
 7. A storage device according to claim 1, whereinthe supervising means is operable to designate at least one partition ofthe storage device as a Write Many Recoverable (WMR) partition, thesupervising means operating such that, if a write command is issued tooverwrite any information stored in the WMR partition, the updatedinformation is stored elsewhere on the storage medium, and a pointer tothe updated information is provided so the updated information can beaccessed as required during the remainder of the session and wherein asystem reset causes the pointer to the updated information to becleared.
 8. A storage device according to claim 7, wherein the or eachWMR partition has a Sector Relocation Table (SRT) associated therewithwhich is held in said volatile RAM means of the storage device, and eachentry in a said SRT is a pointer which defines the address of a range ofsectors in the WMR partition that have been updated and an address wherethe updated information is located, this location being within adedicated area on the storage medium which is accessed only by thesupervisor means.
 9. A storage device according to claim 1, wherein thesupervising means is operable to designate at least one partition of thestorage device as a Write Many Recoverable (WMR) partition, thesupervising means operating such that, if a write command is issued tooverwrite any information stored in said at least one WMR partition,prior to undertaking said write command said information is copied andstored elsewhere on the storage medium to be copied back to said WMRpartition when required.
 10. A storage device according to claim 1,wherein the loader means is configured to load said code segment to acentral processing unit (CPU) of the host computer system for executionby the host computer system prior to operating system boot.
 11. Astorage device according to claim 10, wherein the loader means isprovided in said non-volatile ROM means of the storage device.
 12. Astorage device according to claim 10, wherein said loader means isprovided in a reserved area on the storage medium, which reserved areais inaccessible to a user or user program.
 13. A storage deviceaccording to claim 10, wherein the code segment is provided in saidnon-volatile ROM means of the storage device.
 14. A storage deviceaccording to claim 10, wherein the code segment is provided in areserved area of the storage medium which is inaccessible to a user oruser program, but is accessible to the supervising means, wherebyunauthorized alteration of the code segment is prevented.
 15. A storagedevice according to claim 1, wherein said host executable code segmentcomprises code for enabling the storage device to be set in either“supervised” mode, in which the supervising means is active, or“unsupervised” mode in which the supervising means is not active.
 16. Astorage device according to claim 15, wherein said code segment, whenexecuted, provides user prompts which allow a user to select said“supervised” mode, or by entry of a password select said “unsupervised”mode, and the code segment is constructed such that, subsequent to modeselection by the user, the code segment transfers a boot program fromthe boot sector of the storage medium and causes the host computersystem to execute said boot program so as to initiate operating systemboot in the host computer system.
 17. A storage device according toclaim 10, wherein said storage device is a hard disk drive and thestorage medium comprises at least one disk platter, and said loadermeans is provided in at least one reserved track of said at least onedisk platter.
 18. A storage device according to claim 1, wherein thestorage device is a hard disk drive.
 19. A storage device according toclaim 18, wherein the storage medium comprises at least one diskplatter.
 20. A storage device according to claim 1, wherein the storagedevice is a solid state storage device.
 21. A storage device according to claim 1, wherein the storage device is an optical storage device.
 22. A method of controlling access to and modification of information stored on a storage medium of a storage device for incorporation in a host computer system wherein the storage device comprises storage means for storing information, intelligent means for controlling the transfer of information to and from the storage means, and interfacing means for interfacing the storage device with the host computer system and via which information may be transferred to and from the storage means under the control of said intelligent means, and the storage means within the storage device comprises: said storage medium including at least a boot partition divided into a plurality of sectors, the boot partition including a boot sector where the host computer system will seek code to perform operating system boot of the host computer system; non-volatile read-only-memory (ROM) means (4) for storing firmware for controlling operation of the storage device; and volatile random-access-memory (RAM) means; the method comprising the steps of: providing supervising means in said storage means for operating said intelligent means so as to protect information stored in the storage medium, said supervising means being incorporated at least partly as firmware which is stored in said nonvolatile ROM means; storing in said storage means a host executable code segment for allowing user control of the supervising means via the host computer system and for controlling initiation of operating system boot in the host computer system; storing in the storage means loader means comprising host executable code for loading said code segment to the host computer system and causing the host computer system to execute the loaded code segment, said supervising firmware stored in the ROM means being adapted to intercept any request for said boot sector, issued by the host computer system, and to supply said loader means in response to the request; and incorporating the storage device in a host computer system, and running the host computer system with the supervising means operating said intelligent means so as to protect information stored in the storage medium.
 23. A method according to claim 22, wherein said supervising means is provided for allowing/restricting/prohibiting read/write operations upon the storage medium depending upon whether information to be read from a sector or written to a sector is operating system information or user information, whether the sector is in the boot partition or in a general partition, and whether if the partition is a general partition the partition is active or inactive, said supervising means intercepting each interface request from the host computer system to said storage device; wherein the loader means loads said code segment to a RAM of a central processing unit (CPU) of the host computer system for execution by the host computer system prior to operating system boot, and the code segment, when executed, initiates a user interface procedure whereby a user may select a protection option from a selection of protection options; and wherein, subsequent to a said selection having been made by the user, said code segment transfers a boot program from the boot sector of the storage medium and causes the host computer system to execute said boot program so as to initiate operating system boot in the host computer system.
 24. A method according to claim 23, wherein saidselection of protection options includes the option, by entering apredetermined password, of setting the storage device in “unsupervisedmode” whereby interface requests are not intercepted by the supervisingmeans.
 25. A method according to claim 24, wherein the selection also includes the option of setting the storage device in “supervised” mode and designating at least one partition as a Write Many Recoverable (WMR) partition, the supervising means operating such that, if a write command is issued to overwrite any resident information stored in said at least one WMR partition by updated information, the updated information is written on the storage medium in a location other than where any resident information is stored and a pointer to the updated information is provided so that the updated information can be accessed as required during the remainder of a session.
 26. A methodaccording to claim 25, further including storing a Sector RelocationTable (SRT) which contains the pointers associated with each said WMRpartition in the volatile RAM means of the storage device.
 27. A methodaccording to claim 24, further including the option of setting thestorage device in “supervised” mode and designating at least one of saidpartitions a Write Many Recoverable (WMR) partition wherein, in use, ifa Write command is issued to overwrite any information stored said atleast one MMR partition, prior to undertaking said write command saidinformation is copied and stored elsewhere on the storage medium to becopied back to said WMR partition when required.
 28. A computer system,comprising: (a) a processor; and (b) a storage device communicablycoupled to the processor, the storage device comprising: (i) storagemeans for storing information, comprising: (A) a storage mediumincluding a boot partition divided into a plurality of sectors, the bootpartition including a boot sector capable of permitting the processor toseek code at the boot sector to perform operating system boot of thecomputer system; and (B) non-volatile read-only memory (ROM) means forstoring firmware for controlling operation of the storage device (ii)intelligent means for controlling the transfer of information to andfrom the storage means; and (iii) interfacing means for interfacing thestorage device with the processor and via which information istransferred to and from the storage means under the control of theintelligent means, wherein the storage means further comprises: (C)supervising means for operating the intelligent means to protectinformation stored in the storage medium, the supervising means beingincorporated at least partly as firmware which is stored in thenon-volatile ROM means, wherein the storage device further comprises:(iv) an executable code segment, stored in the storage means, forallowing user control of the supervising means via the processor and forcontrolling initiation of operating system boot in the computer system;and (v) loader means stored in the storage means and comprisingexecutable code for loading the code segment to the processor andcausing the processor to execute the loaded code segment; and whereinthe supervising firmware stored in the ROM means is adapted to interceptany request for the boot sector, issued by the processor in use thereof,and to supply the loader means to the processor to satisfy the request.